Thoughts on DarkSeoul: Data Sharing and Targeted Attackers

The attacks against South Korean media and banking organizations last week severely disrupted a handful of organizations with a coordinated distribution of “wiper” malware designed to destroy data on hard drives and render them unbootable. At 14:00 KST on March 20, 2013, the wiper was triggered across three media organizations and four banks, setting off a firestorm of speculation and finger-pointing that continues as of this writing. In this post, I’ll share a perspective no one else seems to be talking about, but which may be the real motivation behind these attacks.

The What and the Possible Why

Let’s start with what we know:

The attack was highly targeted

The malware was specifically designed to distribute the wiper payload throughout the impacted organizations

The malware was timed to deploy its destructive payload simultaneously across all affected organizations

The resulting loss of data and downtime has been severe

While the “what” of the attack is well established, the “why” and “how” are still a matter of debate. Theories postulated include an outright act of warfare from North Korea designed to economically disrupt South Korea, or an act of sabotage to cover the tracks of data exfiltration allegedly wrought by China. But what if there were an explanation that was less about countries and politics and more about that all-time motivator of crime: money? Consider, if you will, the following timeline.

December 2011: The FBI releases an advisory warning of banking Trojans that launch a Distributed Denial of Service (DDoS) attack against banks presumably to cover the tracks of their wiring fraudulent funds from victims’ accounts.

October 2012: RSA warns of a new breed of cybercriminals constructing a sophisticated Trojan campaign in which “the gang will set a pre-scheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems.”

March 20, 2013: At 1400 KST, the DarkSeoul malware payload is enacted against banks and media organizations in South Korea.

Coincidentally, one of the malware binaries identified in the DarkSeoul attacks is a banking Trojan that specifically targets customers of these same Korean banks. In the days leading up to the payload, antivirus vendor Avast observed a malicious injection attempting to deliver this same binary via a compromised website registered to the Korea Software Property Rights Council (spc.or.kr). Cisco Web Security traffic logs reveal that the website registered to Daewoong Pharmaceutical (daewoong.co.kr) was similarly compromised. Both sites were injected with iframes that attempted to deliver exploit code from the same attack site: rootadmina2012.com. The resulting scripts attempted to exploit a vulnerability in Microsoft XML core services, described in MS12-043.

Based on the initial reports, we found no indication that customers protected by Cisco security products were compromised by the suggested first-stage web and email attacks. In fact, we found only a handful of events in the SIO dataset that relate to the malicious domains or first stage exploitation. As well, we have evidence that no exploit was delivered in some instances: the attack attempts against Cisco customers stopped at the iframe. Given this supporting data in our traffic logs, the Cisco Threat Research & Communications (TRAC) team supports the premise that these attacks were highly targeted.
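One way to check from traffic logs whether an attempt “stopped at the iframe”, as an added example that is not drawn from the post or from Cisco’s own tooling: it walks constructed proxy log lines (the log format, client addresses, URL paths and status codes are assumptions; the attack domain and the two injected sites are the ones named above) and reports how far along the iframe chain each client got.

```python
import re
from urllib.parse import urlparse

ATTACK_DOMAIN = "rootadmina2012.com"                # attack site named in the post
COMPROMISED_SITES = {"spc.or.kr", "daewoong.co.kr"}  # injected sites named in the post

# Constructed proxy log lines for illustration (not real telemetry):
# timestamp client method url referer status
SAMPLE_LOG = """\
2013-03-18T09:12:01 10.0.0.5 GET http://www.spc.or.kr/index.html - 200
2013-03-18T09:12:02 10.0.0.5 GET http://rootadmina2012.com/frame.html http://www.spc.or.kr/index.html 200
2013-03-18T09:12:03 10.0.0.5 GET http://rootadmina2012.com/x.js http://rootadmina2012.com/frame.html 200
2013-03-18T10:30:11 10.0.0.9 GET http://www.daewoong.co.kr/ - 200
2013-03-18T10:30:12 10.0.0.9 GET http://rootadmina2012.com/frame.html http://www.daewoong.co.kr/ 403
2013-03-18T11:00:00 10.0.0.7 GET http://example.org/news - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def host_of(url):
    """Hostname of a URL with a leading 'www.' stripped; '' for '-' or junk."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def classify_clients(log_text):
    """Map each client IP to the furthest stage it reached in the iframe chain.
    Stages, in order: 'landing' (visited an injected site), 'iframe-blocked'
    (proxy denied the iframe fetch), 'iframe' (iframe content was served),
    'second-stage' (a further fetch from the attack domain referred by the iframe)."""
    rank = {"landing": 1, "iframe-blocked": 2, "iframe": 3, "second-stage": 4}
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, _, url, referer, status = m.groups()
        stage = None
        if host_of(url) in COMPROMISED_SITES:
            stage = "landing"
        elif host_of(url) == ATTACK_DOMAIN:
            if host_of(referer) in COMPROMISED_SITES:
                stage = "iframe" if status.startswith("2") else "iframe-blocked"
            elif host_of(referer) == ATTACK_DOMAIN and status.startswith("2"):
                stage = "second-stage"
        if stage and rank[stage] > rank.get(seen.get(client), 0):
            seen[client] = stage  # keep only the furthest stage per client
    return seen
```

Clients that never touched an injected site are absent from the result, so the output is a short list of hosts to triage ordered by how far the chain progressed.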

Efficacy of Layered Defenses

Additionally, details about the second stage malware, which delivered follow-on tools for further exploitation (colloquially known as a “dropper”), highlight the attacker’s awareness and specific reconnaissance against their targets. In McAfee’s blog about the incident, they show that the malware disabled two popular Korean host-based antivirus engines, AhnLab and Hauri. Attackers often leverage techniques to avoid or disable specific defenses, further underscoring the need for defenders to present a variety of overlapping solutions to increase pressure on attackers and make it more likely that they are prevented from fully realizing their intended attacks.

While no Cisco Security customers were impacted in this particular attack, what Cisco knows of the first-stage exploits suggests that Cisco had a wide variety of protections in place to stop these attacks had customers been targeted: web reputation, email outbreak filters, IPS signatures, and more. Any time an attacker uses reconnaissance specifically to target an organization or set of organizations, every additional layer is a hurdle that must be jumped and could make the difference between being a target and being a victim.

Importance of Data Sharing

There is a renewed push for data sharing and transparency in the industry, and incidents like this one highlight how important this sharing is to the entire community of defenders. Cisco SIO pools the intelligence and capabilities of a wide suite of security solutions to deliver an unparalleled perspective to our customers, and customers who opt-in to providing us with telemetry further improve the efficacy of Cisco security products for each other.

Likewise, as a community of defenders we can share details in the appropriate settings to promote more effective responses to imminent, in-progress, or executed attacks. Some details can be shared widely, like the indicators included in the anti-virus vendor postings mentioned previously; Cisco has been a member of FIRST for many years because it provides a more focused forum to connect with other incident responders when more discretion is required. But as a community, we must understand that sharing is critically important leverage that we can exert over attackers who direct their resources at specific targets with the advantage of specific reconnaissance. Even if an attack is targeted at one organization today, it doesn’t mean that the same attacker won’t reuse the same kinds of exploits or techniques against another set of targets in the future.

Conclusion

Customers protected by Cisco security products were well protected, or would have been had they been targeted in these attacks, due to the deep and varied protections that our solutions have in place. But there is a significant benefit for all defenders if data-sharing is combined with community efforts to improve these kinds of comprehensive defenses. Together, layered defenses and effective sharing are key capabilities that are essential to combating increasingly targeted attacks.
